PayNow scam Singapore: how to spot a fake transfer before your account is drained
A buyer wants to "pay" you but sends a link to scan first. A bank texts that your PayNow "certificate" is expiring. You never click anything to receive PayNow, and the link is built to empty your account.
Is a PayNow link or QR asking you to "receive" money a scam?
Verdict: scam. You never click a link, scan a QR code, or log in via Singpass to receive a PayNow transfer. PayNow lands in your bank account automatically the moment someone sends to your registered mobile number, NRIC, FIN, or UEN. Any message, marketplace buyer, or "bank" page that says you must verify, scan, or click to get your money is phishing. It leads to a fake bank login that steals your credentials and one-time password, or to a malware APK that drains the account from inside your phone. When in doubt, verify by opening your own bank app directly or call the ScamShield helpline on 1799.
How PayNow actually works, so you can see the lie
PayNow is Singapore's instant peer-to-peer transfer service, launched by the Association of Banks in Singapore (ABS) in July 2017 and run by the banks over the FAST network. You link a bank account to your mobile number, your NRIC or FIN, or, for a business, your UEN. After that, anyone can send you money by entering one of those identifiers. The funds arrive in your account in seconds.
Read that again, because the entire scam depends on you not knowing it: to receive PayNow you do nothing. You do not approve a request, you do not click a confirmation, you do not "verify" yourself, you do not scan a QR. The sender pushes the money to your identifier and it lands. The only person who taps anything is the one paying, and they do it inside their own bank app, not on a website you send them.
So when a "buyer" insists they cannot pay until you scan their QR or click their link, they have inverted reality. In a real PayNow transfer the receiver is passive. The moment someone asks the receiver to act, the request is fraudulent by construction.
The four shapes this scam takes in Singapore
The Singapore Police Force has issued repeated advisories on these variants. They look different on the surface but share one engine: get you onto a page that harvests your bank login, or get a malicious app onto your phone.
1. The fake marketplace buyer (Carousell, Facebook)
You list an item on Carousell or Facebook Marketplace. A keen "buyer" agrees to your price immediately, then says they will pay through PayNow or a delivery service, but first you must click a link or scan a QR to "receive" the payment or "confirm" the courier. The page is a counterfeit bank or PayNow login. In a December 2023 advisory the police flagged at least 132 victims and at least S$314,000 lost to fake-buyer phishing on Carousell and Facebook since that month alone. The tell is always the same: a real buyer never needs you to log in anywhere to send you money.
2. The fake "PayNow certificate expiring" text
In a December 13, 2024 advisory, the police described a campaign of text messages reading roughly: "Pay Now: Your certificate expires in 3 days. Renew it now at [link] to keep your services active." There is no such thing as a PayNow certificate you must renew. The link goes to a phishing site dressed as PayNow or your bank, and asks for your banking username, password, and one-time password. Those three things are all an attacker needs to log in as you and transfer everything out.
3. The fake bank or Singpass "verify" page
A message claims there is a problem with your DBS, POSB, OCBC, or UOB account, or that you must re-verify via Singpass. The link opens a near-perfect clone of the bank login or the Singpass screen. Whatever you type is captured live. Real banks do not send you a login link by SMS or WhatsApp, and Singpass login only ever happens at singpass.gov.sg or inside the official Singpass app.
4. The malware APK sideload
You answer an ad for cheap goods, services, or food, and the "seller" sends an Android app file (an APK) to download and install to "complete the order" or "make the PayNow payment." Sideloaded from a link, that app is malware. In the first half of 2023 the police logged more than 750 such malware cases with losses of at least S$10 million. Once installed, the app can read your screen, capture what you type into the real banking app, intercept one-time passwords, and authorise transfers remotely while your phone looks idle.
What the phishing links look like (illustrative)
The link is built to survive a one-second glance on a phone. It puts "paynow," a bank name, or "verify" into the address and hosts the page on a free platform anyone can register in minutes, so it looks polished while the real domain is not official. Genuine destinations are short and well-known: the banks at dbs.com.sg, posb.com.sg, ocbc.com, and uob.com.sg, and Singpass only at singpass.gov.sg. The examples below are illustrative lookalikes, not real sites.
- paynow-verify-sg.pages.dev
- dbs-secure-login.xyz
- singpass-reverify.top
Notice the structure: a trusted word ("paynow," "dbs," "singpass") is glued to a free-hosting suffix or a throwaway TLD. The true domain is the tail end of the hostname, the part immediately before the first single slash after https://. Anything to the left of it is a label the page owner chose freely. "paynow" sitting in front of pages.dev is just a page on a free platform that happens to contain the word, not PayNow. If you want to test a real link you actually received, paste it into the live checker below and let the scanner judge the domain for you.
Paste a suspicious PayNow or bank link here
Got a link from a marketplace buyer, an SMS, or a WhatsApp message about PayNow? Paste it below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.
Red flags that give it away every time
You do not need to inspect the code or spot the cloned logo. The logic of the request betrays it.
- You are asked to click, scan, or log in to RECEIVE money. This is the single biggest tell. Receiving PayNow is automatic. Any action demanded of the receiver is the scam.
- A "buyer" agrees instantly and then sends you a link. Real buyers haggle and then simply pay. A buyer who needs you to open a payment or courier page is harvesting your login.
- A text says your PayNow or bank "certificate" or account is expiring. There is no PayNow certificate. Urgency plus a link plus a login form is phishing.
- You are told to download an app from a link. Banking and payment apps come only from the Google Play Store or Apple App Store, never an APK or link a stranger sends you.
- The page asks for your full banking login plus a one-time password. A real PayNow transfer never asks the receiver for any of this. A page that collects it is a credential harvester.
- The domain is not your bank's official address. Anything with "paynow," "dbs," or "singpass" stuck onto a free-hosting suffix or an odd TLD is a different site that merely contains the word.
The one rule that defeats all four variants: verify direct
Every version of this scam works by routing you through a link the scammer controls. So refuse the link entirely and go to the source yourself. If a message claims something about your bank account, open your bank's own app that you installed from the store, or type the bank address yourself, and check. If it claims something about PayNow or Singpass, open the official Singpass app or singpass.gov.sg directly. If a buyer needs you to "confirm" a payment, tell them to just send the PayNow to your number and watch your own bank app for it to land. Never act on the link they handed you.
And if you genuinely cannot tell whether something is a scam, Singapore gives you a free second opinion: call the 24/7 ScamShield helpline on 1799 (or +65 6869 1799 from overseas) and ask. That number exists precisely so you do not have to decide alone under pressure.
What SafeBrowz sees when it inspects these pages
When the SafeBrowz engine inspects a fake PayNow or bank page, the attack reads consistently across all three detection layers. A few patterns stand out.
First, the hosting is free and disposable. The destination is almost always a subdomain on a free platform such as pages.dev, vercel.app, netlify.app, or web.app, or a brand-new cheap domain registered days earlier. Real banks and Singpass run on their own long-established official domains. A bank or PayNow brand keyword living on free hosting is itself the signal.
Second, the structure is a brand keyword on the wrong domain. The page carries "PayNow," a bank logo, or the Singpass mark, but resolves anywhere except the official address. Brand impersonation on a non-official registrable domain is a textbook detection profile, independent of how good the visual copy is.
Third, the page is a credential or one-time-password harvester. A "PayNow" page that immediately demands a full DBS, OCBC, or UOB login plus a one-time password, served from a non-bank host, fits the harvesting profile, and content-level analysis catches the impersonation even when the domain is brand new and on no blocklist yet.
One honest limit: SafeBrowz inspects the link and the page, not the binary. It flags the fake bank login page, the fake PayNow link page, and the lookalike domain, and it warns on the page that pushes you to download an APK. It does not open or inspect the APK file itself or look inside an app already installed on your phone, which is exactly why the "only install from the official store" rule still matters.
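The first two patterns, and the "read the true domain" rule from the lookalike examples earlier, can be expressed as a hostname check. The sketch below is an added example, not SafeBrowz code: the function name inspectLink is hypothetical, and the lists contain only the official domains, free-hosting suffixes, TLDs and brand words that appear in this article.

```javascript
// Added example, not SafeBrowz code. Lists hold only values named in the article;
// a production scanner needs the Public Suffix List and a full brand database.
const OFFICIAL = ["dbs.com.sg", "posb.com.sg", "ocbc.com", "uob.com.sg", "singpass.gov.sg"];
const FREE_HOSTS = ["pages.dev", "vercel.app", "netlify.app", "web.app"];
const THROWAWAY_TLDS = ["xyz", "top"]; // from the article's illustrative links only
const BRANDS = ["paynow", "dbs", "posb", "ocbc", "uob", "singpass"];

// True when host is the domain itself or any subdomain of it.
const under = (host, domain) => host === domain || host.endsWith("." + domain);

function inspectLink(raw) {
  let url;
  try {
    // Links pasted from SMS or chat often arrive without a scheme.
    url = new URL(raw.includes("://") ? raw : "https://" + raw);
  } catch {
    return { verdict: "invalid", host: null, reasons: ["not a parseable URL"] };
  }
  // URL.hostname is lower-cased and excludes port, path and credentials.
  const host = url.hostname.replace(/\.$/, "");
  if (OFFICIAL.some((d) => under(host, d))) {
    return { verdict: "official", host, reasons: [] };
  }
  const reasons = [];
  // Split on dots and hyphens so "dbs" matches "dbs-secure-login" but not "goodbs".
  const tokens = host.split(/[.-]/);
  const brands = BRANDS.filter((b) => tokens.includes(b));
  if (brands.length) {
    reasons.push("brand keyword on non-official domain: " + brands.join(", "));
  }
  const freeHost = FREE_HOSTS.find((s) => under(host, s));
  if (freeHost) reasons.push("free hosting: " + freeHost);
  const tld = host.split(".").pop();
  if (THROWAWAY_TLDS.includes(tld)) reasons.push("throwaway TLD: ." + tld);
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label, possible homograph");
  }
  // A brand word off the official domain is the decisive signal; the rest are supporting.
  return { verdict: brands.length ? "impersonation" : "unrated", host, reasons };
}
```

A hostname check like this says nothing about page content, so an "unrated" result is not a clean bill of health.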
Why browser-side detection beats message filtering alone
Your phone and your messaging apps do real work flagging suspicious links, but they are fighting the message, and the message is the cheap part. Scammers rotate burner numbers and marketplace accounts daily, keep the chat short, and spin up a fresh free-hosting subdomain for each wave. A filter that misses one in a thousand still lets plenty through across a large campaign.
The thing that does not change is the destination. To steal anything, the scam has to land you on a page that impersonates your bank, PayNow, or Singpass. That page is where the theft is committed, and that page is what a browser-layer scanner inspects directly. When you tap the link, a browser extension can recognise the page is impersonating a bank on a non-official domain and block it before the form loads, regardless of which number or marketplace account delivered it.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) plus community whitelist and blacklist, all running directly in the extension before the page renders. It catches PayNow and Singapore bank brand keywords on non-official hosts, free-hosting abuse, and payment-page redirect families instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most fake-PayNow destinations are days old) and 30+ scam TLDs and free-hosting suffixes.
- Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new lookalike that no blocklist has seen yet, including the fake-PayNow-into-fake-bank-login chain.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious PayNow request and get a verdict in seconds. Our broader guide on how to tell if a website is a scam walks through the manual checks too.
What to do right now
If a PayNow link, QR, or "verify" message just landed, here is the whole correct response.
- Do not click the link or scan the QR. The link is the entire attack surface.
- Remember receiving PayNow is automatic. If anyone says you must act to get money, the request is fraudulent by definition.
- Verify direct. Open your own bank app or type the bank address yourself. For Singpass, use the official app or singpass.gov.sg. Never act on the link you were sent.
- Install apps only from the official store. Never sideload an APK a stranger sends. Banking apps come only from Google Play or the App Store.
- If unsure, call 1799. The 24/7 ScamShield helpline will tell you whether it is a scam before you lose anything.
- Report it. Use the resources at scamshield.gov.sg and the Singapore Police Force at police.gov.sg. For an emergency in progress, call 999.
If you already entered your banking login or a one-time password, or installed an app from a link, act fast: call your bank immediately using the number on your card or in the official app to freeze the account, turn the phone to airplane mode or power it off to cut a malware app's connection, change your banking passwords from a clean device, and lodge a police report. Then report through scamshield.gov.sg. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.
How this connects to QR-code payment scams
The fake-buyer and fake-PayNow tricks are part of a wider wave of quishing, where a QR code, not a link, is the delivery method. The same logic applies: a QR code is just a link you cannot read, so scanning one a stranger sends is exactly as risky as clicking their link blind. We break that family down in our guide to QR-code payment scams and quishing. Treat any QR tied to a money request with the same suspicion, and verify direct every time.
Frequently asked questions
Can you get scammed receiving PayNow?
Not by the transfer itself, because receiving PayNow is automatic and requires no action from you. You get scammed when someone convinces you that you must click a link, scan a QR, or log in to "receive" the money. That page is a fake bank or PayNow login that steals your credentials. If you are asked to do anything to receive money, it is a scam.
Is PayNow safe to use?
Yes. PayNow itself, run by the Association of Banks in Singapore since 2017, is a safe instant-transfer service inside your bank's app. The danger is not PayNow but phishing sites and fake buyers that abuse its name. As long as you send and receive only inside your official bank app and never act on a link a stranger sends, PayNow is safe.
What does a real PayNow transfer look like?
The sender opens their own bank app, chooses PayNow, enters the recipient's mobile number, NRIC, FIN, or UEN, and sends. The recipient does nothing and the money lands in their account in seconds. There is no link to click, no QR to scan, and no Singpass login involved in receiving the money.
The bank texted me that my PayNow certificate is expiring. Is that real?
No. There is no PayNow certificate that you must renew. In a December 2024 advisory the Singapore Police Force warned of texts saying "your certificate expires in 3 days, renew it now" that link to a phishing site. Do not click. Open your bank app directly or call your bank using the number on your card.
Is it safe to install an app a seller sends me to complete a PayNow payment?
No. Never install an Android APK or app from a link a stranger sends. The police logged over 750 malware-app cases with at least S$10 million lost in the first half of 2023 alone. Install banking and payment apps only from the Google Play Store or Apple App Store.
How do I report a PayNow scam in Singapore?
Report it through ScamShield at scamshield.gov.sg and the Singapore Police Force at police.gov.sg. If you are unsure whether something is a scam, call the 24/7 ScamShield helpline on 1799, or +65 6869 1799 from overseas. For an emergency in progress, call 999. Keep the sender's number, the link, and a screenshot.